InvGen: An Efficient Invariant Generator
|
|
- Leo Cannon
- 8 years ago
- Views:
Transcription
1 InvGen: An Efficient Invariant Generator Ashutosh Gupta and Andrey Rybalchenko Max Planck Institute for Software Systems (MPI-SWS) Abstract. In this paper we present InvGen, an automatic linear arithmetic invariant generator for imperative programs. InvGen s unique feature is in its use of dynamic analysis to make invariant generation order of magnitude more efficient. 1 Introduction Program verification relies on invariants for reasoning about sets of reachable states [3]. Synthesizing invariants that satisfy a given assertion is a difficult task. The scalability of existing approaches to invariant generation is severely limited due to the high computation cost of the underlying symbolic reasoning techniques. We present InvGen, an automatic tool for the generation of linear arithmetic invariants for imperative programs. InvGen uses a constraint-based approach to generate invariants [2]. InvGen combines it with static and dynamic analysis techniques to solve constraints efficiently [4]. InvGen provides an order of magnitude efficiency improvement wrt. the existing tools, see [5]. This improvement enables InvGen s application for automatic software verification, e.g., for refinement of predicate abstraction by generating invariants for program fragments determined by spurious counterexamples [1]. In this paper, we describe the design and implementation of InvGen and present a collection of optimizations that were necessary to achieve the desired scalability. We also describe our experience with applying InvGen on challenge benchmarks [8] and micro-benchmarks, which containing code fragments that are difficult to analyze automatically. The experimental results indicate that InvGen is a practical tool for software verification. 2 Usage InvGen takes as input a program over linear arithmetic expressions that is given in C syntax or as a transition relation. 1 InvGen uses a template based technique to compute invariants, which requires that a set of templates is given as input to the tool. A template is a Boolean combination of linear inequalities over program variables with coefficients that are kept as parameters. As a result, 1 See [5] for the syntax of transition relations.
2 1: x=0; 2: assume(n>0); 3: while(x<n){ 4: x++; 5: } 6: assert(x==n); 1: x=0; 2: while(x<n){ 3: x++; 4: } 5: if(n>0) 6: assert(x==n); (a) 1: assume(p); 2: while(p){ 3:... 4: assume(q); 5: } 6: assert(q); (b) Fig. 1. Example simple.c. Fig.2. Examples requiring disjunctive invariants. InvGen either returns an invariant that proves the non-reachability of the error location or fails. InvGen offers a collection of heuristics to improve scalability of invariant generation, and allows one to explore various combination of these heuristics. Support of dynamic/static analysis can be disabled/enabled with some parameters. Dynamic analysis can be performed using concrete or symbolic execution. Other tools can be used to generate test executions for InvGen. InvGen can run in the server mode, in which it communicates its input/output via standard input and output streams. The full set of options is described online [5]. 3 Tool In this section we briefly present the algorithm used by InvGen and focus on the tool design and implementation. 3.1 Algorithm InvGen computes linear arithmetic invariants that prove the non-reachability of the error location. We will call such invariants safe. InvGen applies the template based approach [2] for the invariant generation, which assumes an invariant template at each cut-point location in the program, i.e., at loop entry locations. Each invariant template consists of parameterized linear inequalities over the program variables. The specific goal of invariant generation is to find an instantiation of the template parameters that yields a safe invariant. The invariant templates at the start and error locations of the program are true and false, respectively. A template instantiation yields an invariant if each program path stmt1;...;stmtn; between each pair l and l of adjacent cut-points satisfies the inductiveness condition: the instantiated invariant templates η(l) and η(l ) at the respective cut-points together with the program path form a valid Hoare triple {η(l)}stmt1;...;stmtn;{η(l )}. 2 We translate the inductiveness condition into an arithmetic constraint over the template parameters. Each solution of this constraint yields a safe invariant. 2 {P }stmts{q} is a valid Hoare triple if each computation that starts in a state satisfying the assertion Q either terminates in a state satisfying Q or diverges [7]. In our case, program paths are loop free and hence terminating. 2
3 See Figure 1. The example program simple.c contains a statement assert(p), which is a short form for if (!p) ERROR;. The entry location of the while loop is a cut-point location l 3. At this location we assume an invariant template α x x + α n n α, where α x, α n, α are unknown parameters. The inductiveness condition for the path from the start location to the loop entry requires the validity of the triple {true}x = 0;assume(n > 0); {η(l 3 )}, the condition for the loop iteration is {η(l 3 )}assume(x < n);x = x + 1; {η(l 3 )}, and the path from the loop entry to the error location produces {η(l 3 )}assume(x n); assume(x n); {false}. The resulting arithmetic constraint has a following solution for template parameters: α x = 1, α n = 1, and α = 0. Hence, x n 0 is a safe invariant. Arithmetic constraints that encode the inductiveness condition contain nonlinear arithmetic expressions and are difficult to solve. InvGen improves performance of the constraint solving by adding information collected using dynamic and static analysis techniques. In the dynamic analysis phase, we execute the program according to a coverage criterion and collect the reached states. By definition, each reached state must satisfy program invariants. For each reached state, we substitute the program variables occurring in the invariant template at the corresponding control location by their values in the state. Thus, we obtain linear constraints over template parameters. For simple.c, assume a reached state at the loop entry such that (x = 0, n = 1). After substituting program variable by their values in the above template for the location l 3 we obtain the constraint over template parameters α x 0 + α n 1 α. Such linear constraints improve the efficiency of constraint solving [4]. In the static analysis phase, we first apply abstract interpretation in a eager fashion to compute a collection of invariants which are not necessarily strong enough to prove the non-reachability of the error location that holds for the program, and then annotate the program with these invariants. The invariants obtain using abstract interpretation allow InvGen to focus on the synthesis missing, complex invariants in a goal directed way. Such invariants may be missed by the abstract interpreter due to the necessary precision loss of join and widening operators and the limited precision of efficient abstract domains. 3.2 Design Program Template We present the design of InvGen in Figure 3. The input program is passed to the dynamic and static analyzers. The results of each analysis together with the program and the templates are passed to the constraint generator. The generated constraints are solved by a constraint solver. If the solver succeeds then InvGen returns a safe invariants. Static Analysis Dynamic Analysis Constraint Generator Constraint solver Success Failure Invariants Failed Fig. 3. InvGen design. 3
4 3.3 Implementation Figure 4 outlines the implementation of InvGen. It is divided into two executables, frontend and InvGen. The frontend executable contains a CIL [10] based interface to C and an abstract interpreter InterProc [9]. The frontend takes a program procedure written in C language as an input, and applies InterProc on the program three times using the interval, octagon, and polyhedral abstract domains. Then, the frontend outputs the transition relation of the program that is a annotated with the results computed by InterProc. Se [5] for the output format. Next, we describe the components of InvGen, following Figure 4. After all iterations Results C input C frontend Abstract interpreter Program minimizer Dynamic Analysis Simplifier For each error path Constraint solver Failure Failed Simplifier Success Frontend InvGen Fig. 4. InvGen implementation. Program minimizer InvGen minimizes the transition relation of the program to reduce the complexity of constraint solving. InvGen computes a minimal set of cut-point locations, and replaces each cut-point free path by a single, compound program transition. The unsatisfiable and redundant transitions are eliminated. At this phase, the invariants obtained from InterProc can lead to the elimination of additional transitions. Dynamic analysis InvGen collects dynamic information for the minimized program using either concrete and symbolic execution. In case of concrete execution, InvGen collects a finite set of reachable states by using a guided testing technique. Otherwise, InvGen performs a bounded, exhaustive symbolic execution of the program. By default, the bound is set to the number of cut-points in the program. The user can limit the maximum number of visits for each cut-point during the symbolic execution. Simplifier InvGen simplifies all arithmetic constraints locally at each step of the algorithm. Consider the phase when the dynamic analysis using symbolic execution produces additional linear constraints over template parameters. These constraints contain existentially quantified variables, and the scope of the quantifier is rather limited. For simple.c, assume that a symbolic state x = 0 n 0 is reached at the loop entry location. For any template evaluation, the symbolic state is subsumed by the invariant, hence (x = 0 n 0) (α x x + α n n α). After the elimination of program variables InvGen obtains the constraints λ 0 λ = α n α 0, where λ is an existentially quantified variable. λ does not appear anywhere in the constraint and can be eliminated locally. As a result, we obtain α n 0 α 0. 4
5 InvGen also simplifies constraints obtained by the concrete execution and abstract interpretation. Constraint solver The inductiveness conditions result in non-linear arithmetic constraints. For simple.c, the inductiveness condition for the error path {η}assume(x > n); {false} translates to the implication α x x + α n n α x > n 1 0 with universal quantification over the program variables. After the elimination of the program variables, InvGen obtains the non-linear constraint λ 0 δ 0 λα x = δ λα n + δ = 0 λα + 1 δ, where λ and δ are existentially quantified, non-negative variables that encode the implication validity. In practice, such existentially quantified variables range over a small domain, typically they are either 0 or 1. InvGen leverages this observation in order to solve the constraints by performing a case analysis on the variables with small domain. Each instance of case analysis results in a linear constraint over template parameters, which can be solved using a linear constraint solver. This approach is incomplete, since InvGen does not take all possible values during the case analysis, however it is effective in practice. Multiple paths to error location A program may have multiple cut-point free paths that lead to the error location, which we refer to as error paths. InvGen deals with multiple error paths in an incremental fashion for efficiency reasons. Instead taking inductiveness conditions for all error paths into account, InvGen computes a safe invariant for one error path at a time. Already computed invariants are used as strengthening when dealing with the remaining error paths. 4 Discussion We highlight several important aspects of InvGen in detail. Abstract interpretation The template instantiation computed by InvGen may rely on the invariants discovered during the abstract interpretation phase. InvGen keeps track of such invariants and reports them to the user. Template generation The applicability of InvGen depends on the choice of invariant templates. If the template is too expressive, e.g., if it admits a number of conjuncts that is larger than required, then the efficiency of InvGen is decreasing due to the increased difficulty of constraint solving. A template that is not expressive enough cannot yield a desired invariant. In our experience, the majority of invariants require a template that is a conjunction of two linear inequalities. This surprisingly small number of conjuncts is due to the strengthening using invariants obtained during the abstraction interpretation phase InvGen focuses on the missing invariants. By default, for each cut-point location InvGen assumes a conjunction of two parametric linear inequalities as a template. 5
6 File InvGen** InvGen* InvGen Seq 23.0s 0.5s 0.5s Seq-z3 23.0s 0.5s 0.5s Seq-len T/O T/O 2.8s nested T/O 17.0s 2.3s svd(light) T/O 10.6s 14.2s heapsort T/O 19.2s 13.3s mergesort T/O 142s 170s Spam-loop T/O 0.28s 0.4s apache-tag 0.4s 0.6s 0.7s sendmail-qp 0.3s 0.3s 0.3s Table 1. Performance of InvGen on benchmark inspired by [8]. InvGen* does not apply dynamic analysis. InvGen** applies neither static nor dynamic analysis. T/O means time out after 10 minutes. File Blast Blast + InvGen Seq diverge 8 Seq-len diverge 9 fregtest diverge 3 sendmail-qp diverge 10 svd(light) Spam-loop apache-escape apache-tag sendmail-angle sendmail-7to Table 2. Application of InvGen for the predicate discovery in Blast using path invariants. We show the number of refinement steps required to prove the property. Disjunction The user can provide disjunctive templates to InvGen, which yields disjunctive invariants. Currently, InvGen is not practical for disjunctive invariants. Nevertheless, programs that require disjunctive invariants appear often in practice, as illustrated in Figure 2. Example 2(a) relies on a disjunctive loop invariant n x n < 0 to prove the assertion. Similarly, Example 2(b) requires a disjunctive loop invariant p q. Avoiding such program patterns improves the effectiveness of InvGen. For example, adding a commonly used assumption n 0 at the start location of the program in Figure 2(a) eliminates the need for disjunctive invariants. Concrete vs. symbolic dynamic analysis In our evaluation, dynamic analysis using symbolic execution performs better than with the concrete execution. Symbolic execution produces a smaller set of constraints and leads to the improvement of the constraint solving efficiency that is never worse the one achieved by the concrete execution. 5 Experiences Verification benchmarks We applied InvGen on a collection of programs that are difficult for state-of-the-art software verification tools [8]. The collection consists of 12 programs. Due to short running times, we present the aggregated data and do not provide information for each program individually. Using the polyhedral abstract domain, InterProc computes invariants that are strong enough to prove the assertion for six programs in the collection. InvGen handles 11 examples in 6.3 seconds, and times out on one program. Effect of static and dynamic analysis The collection [8] does not allow us to perform a thorough experimental evaluation of InvGen, since the running 6
7 times on these examples are too short. We constructed a set of more interesting programs that is inspired by [8] by extending the programs from this collection with additional loops and branching statements. Table 1 shows the effect of static and dynamic analysis when dealing with the constructed examples. Random input We developed a tool for the generation of random program. We try these random programs with InvGen without testing then with testing feature. We generated 17 programs with three cut-point and one error location in each of them, see [5]. We observed that for these programs, dynamic analysis either improves or at least does not decrease the efficiency of invariant generation. In four cases, the efficiency of InvGen increased by two orders of magnitude. Integration with Blast We have modified the abstraction refinement procedure of the Blast software model checker [6] by adding predicate discovery using path invariants [1]. Table 2 indicates that constraint based invariant generation can be an effective tool for refining predicate abstraction. For several examples, Blast diverged due to the disability to find the right set of predicates. In these cases, InvGen enabled the successful termination of the verification attempt, while for other cases it reduced the number of the number of refinement iterations by %. References 1. D. Beyer, T. A. Henzinger, R. Majumdar, and A. Rybalchenko. Path invariants. In Proc. PLDI, pages ACM Press, M. Colón, S. Sankaranarayanan, and H. Sipma. Linear invariant generation using non-linear constraint solving. In CAV, pages Springer, R. W. Floyd. Assigning meanings to programs. In Mathematical Aspects of Computer Science. AMS, A. Gupta, R. Majumdar, and A. Rybalchenko. From tests to proofs. In Proc. TACAS. Springer, A. Gupta and A. Rybalchenko. InvGen: an efficient invariant generator T. Henzinger, R. Jhala, R. Majumdar, and K. McMillan. Abstractions from proofs. In POPL 04: Principles of Programming Languages, pages ACM, C. A. R. Hoare. An axiomatic basis for computer programming. Communications of ACM, K. Ku, T. Hart, M. Chechik, and D. Lie. A buffer overflow benchmark for software model checkers. In Proc. ASE, G. Lalire, M. Argoud, and B. Jeannet. The interproc analyze. -forge/interproc/index.html. 10. G. C. Necula, S. McPeak, S. P. Rahul, and W. Weimer. CIL: Intermediate language and tools for analysis and transformation of C programs. In Proc. CC, pages Springer,
Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia
Chair of Software Engineering Software Verification Assertion Inference Carlo A. Furia Proving Programs Automatically The Program Verification problem: Given: a program P and a specification S = [Pre,
More informationA Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation
PLDI 03 A Static Analyzer for Large Safety-Critical Software B. Blanchet, P. Cousot, R. Cousot, J. Feret L. Mauborgne, A. Miné, D. Monniaux,. Rival CNRS École normale supérieure École polytechnique Paris
More informationCoverability for Parallel Programs
2015 http://excel.fit.vutbr.cz Coverability for Parallel Programs Lenka Turoňová* Abstract We improve existing method for the automatic verification of systems with parallel running processes. The technique
More informationModel Checking: An Introduction
Announcements Model Checking: An Introduction Meeting 2 Office hours M 1:30pm-2:30pm W 5:30pm-6:30pm (after class) and by appointment ECOT 621 Moodle problems? Fundamentals of Programming Languages CSCI
More informationnpsolver A SAT Based Solver for Optimization Problems
npsolver A SAT Based Solver for Optimization Problems Norbert Manthey and Peter Steinke Knowledge Representation and Reasoning Group Technische Universität Dresden, 01062 Dresden, Germany peter@janeway.inf.tu-dresden.de
More informationIKOS: A Framework for Static Analysis based on Abstract Interpretation (Tool Paper)
IKOS: A Framework for Static Analysis based on Abstract Interpretation (Tool Paper) Guillaume Brat, Jorge A. Navas, Nija Shi, and Arnaud Venet NASA Ames Research Center, Moffett Field, CA 94035 Abstract.
More informationStatic Program Transformations for Efficient Software Model Checking
Static Program Transformations for Efficient Software Model Checking Shobha Vasudevan Jacob Abraham The University of Texas at Austin Dependable Systems Large and complex systems Software faults are major
More informationVerification of Imperative Programs in Theorema
Verification of Imperative Programs in Theorema Laura Ildikó Kovács, Nikolaj Popov, Tudor Jebelean 1 Research Institute for Symbolic Computation, Johannes Kepler University, A-4040 Linz, Austria Institute
More informationFoREnSiC An Automatic Debugging Environment for C Programs
FoREnSiC An Automatic Debugging Environment for C Programs Roderick Bloem 1, Rolf Drechsler 2, Görschwin Fey 2, Alexander Finder 2, Georg Hofferek 1, Robert Könighofer 1, Jaan Raik 3, Urmas Repinski 3,
More informationµz An Efficient Engine for Fixed points with Constraints
µz An Efficient Engine for Fixed points with Constraints Kryštof Hoder, Nikolaj Bjørner, and Leonardo de Moura Manchester University and Microsoft Research Abstract. The µz tool is a scalable, efficient
More informationCombining Static Analysis and Test Generation for C Program Debugging
Combining Static Analysis and Test Generation for C Program Debugging Omar Chebaro 1,2, Nikolai Kosmatov 1, Alain Giorgetti 2,3, and Jacques Julliand 2 1 CEA, LIST, Software Safety Laboratory, PC 94, 91191
More informationBuilding SMT-based Software Model Checkers: an Experience Report
Building SMT-based Software Model Checkers: an Experience Report Alessandro Armando Artificial Intelligence Laboratory (AI-Lab) Dipartimento di Informatica Sistemistica e Telematica (DIST) University of
More informationCS510 Software Engineering
CS510 Software Engineering Propositional Logic Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Scott A. Carr Slides inspired by Xiangyu Zhang http://nebelwelt.net/teaching/15-cs510-se
More informationThe software model checker BLAST
Int J Softw Tools Technol Transfer (2007) 9:505 525 DOI 10.1007/s10009-007-0044-z SPECIAL SECTION FASE 04/05 The software model checker BLAST Applications to software engineering Dirk Beyer Thomas A. Henzinger
More informationInfer: An Automatic Program Verifier for Memory Safety of C Programs
Infer: An Automatic Program Verifier for Memory Safety of C Programs Cristiano Calcagno and Dino Distefano Monoidics Ltd, UK Abstract. Infer 1 is a new automatic program verification tool aimed at proving
More informationIntroducing Formal Methods. Software Engineering and Formal Methods
Introducing Formal Methods Formal Methods for Software Specification and Analysis: An Overview 1 Software Engineering and Formal Methods Every Software engineering methodology is based on a recommended
More informationFormal Verification Coverage: Computing the Coverage Gap between Temporal Specifications
Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications Sayantan Das Prasenjit Basu Ansuman Banerjee Pallab Dasgupta P.P. Chakrabarti Department of Computer Science & Engineering
More informationTowards practical reactive security audit using extended static checkers 1
Towards practical reactive security audit using extended static checkers 1 Julien Vanegue 1 Shuvendu K. Lahiri 2 1 Bloomberg LP, New York 2 Microsoft Research, Redmond May 20, 2013 1 The work was conducted
More informationReasoning About the Unknown in Static Analysis
Reasoning About the Unknown in Static Analysis Isil Dillig Thomas Dillig Alex Aiken {isil, tdillig, aiken}@cs.stanford.edu Computer Science Department Stanford University ABSTRACT Static program analysis
More informationThe Software Model Checker BLAST: Applications to Software Engineering
International Journal on Software Tools Technology Transfer manuscript No. (will be inserted by the editor) Dirk Beyer Thomas A. Henzinger Ranjit Jhala Rupak Majumdar The Software Model Checker BLAST:
More informationNon-Monotonic Program Analysis
Non-Monotonic Program Analysis Daniel Schwartz-Narbonne Philipp Rümmer Martin Schäf Ashish Tiwari New York University Uppsala University SRI International SRI International Thomas Wies New York University
More informationIntroduction to Static Analysis for Assurance
Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1 Overview What is static analysis?
More informationAutomated Detection of Non-Termination and NullPointerExceptions for Java Bytecode
Automated Detection of Non-Termination and NullPointerExceptions for Java Bytecode Marc Brockschmidt, Thomas Ströder, Carsten Otto, and Jürgen Giesl LuFG Informatik 2, RWTH Aachen University, Germany Abstract.
More informationUFO: Verification with Interpolants and Abstract Interpretation
: Verification with Interpolants and Abstract Interpretation and Sagar Chaki Software Engineering Institute Carnegie Mellon University Aws Albarghouthi, Yi i and Marsha Chechik University of Toronto A
More informationPREDICATE GENERATION FOR LEARNING-BASED QUANTIFIER-FREE LOOP INVARIANT INFERENCE
PREDICATE GENERATION FOR LEARNING-BASED QUANTIFIER-FREE LOOP INVARIANT INFERENCE YUNGBUM JUNG, WONCHAN LEE, BOW-YAW WANG, AND KWANGKUEN YI Seoul National University, Korea e-mail address: dreameye@ropas.snu.ac.kr
More informationConstructing Contracts: Making Discrete Mathematics Relevant to Beginning Programmers
Constructing Contracts: Making Discrete Mathematics Relevant to Beginning Programmers TIMOTHY S. GEGG-HARRISON Winona State University Although computer scientists understand the importance of discrete
More informationOptimizing Database-Backed Applications with Query Synthesis
Optimizing Database-Backed Applications with Query Synthesis Alvin Cheung Armando Solar-Lezama Samuel Madden MIT CSAIL {akcheung, asolar, madden}@csail.mit.edu Abstract Object-relational mapping libraries
More informationGameTime: A Toolkit for Timing Analysis of Software
GameTime: A Toolkit for Timing Analysis of Software Sanjit A. Seshia and Jonathan Kotker EECS Department, UC Berkeley {sseshia,jamhoot}@eecs.berkeley.edu Abstract. Timing analysis is a key step in the
More informationStaRVOOrS: A Tool for Combined Static and Runtime Verification of Java
StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java Jesús Mauricio Chimento 1, Wolfgang Ahrendt 1, Gordon J. Pace 2, and Gerardo Schneider 3 1 Chalmers University of Technology, Sweden.
More informationAutomatic Verification by Abstract Interpretation
Automatic Verification by Abstract Interpretation (Invited tutorial) Patrick Cousot École normale supérieure, Département d informatique, 45 rue d Ulm, 75230 Paris cedex 05, France Patrick.Cousot@ens.fr
More informationOne More Decidable Class of Finitely Ground Programs
One More Decidable Class of Finitely Ground Programs Yuliya Lierler and Vladimir Lifschitz Department of Computer Sciences, University of Texas at Austin {yuliya,vl}@cs.utexas.edu Abstract. When a logic
More informationRigorous Software Development CSCI-GA 3033-009
Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 11 Semantics of Programming Languages Denotational Semantics Meaning of a program is defined as the mathematical
More informationSoftware testing. Objectives
Software testing cmsc435-1 Objectives To discuss the distinctions between validation testing and defect testing To describe the principles of system and component testing To describe strategies for generating
More informationElementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook.
Elementary Number Theory and Methods of Proof CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook.edu/~cse215 1 Number theory Properties: 2 Properties of integers (whole
More informationSoftware Verification: Infinite-State Model Checking and Static Program
Software Verification: Infinite-State Model Checking and Static Program Analysis Dagstuhl Seminar 06081 February 19 24, 2006 Parosh Abdulla 1, Ahmed Bouajjani 2, and Markus Müller-Olm 3 1 Uppsala Universitet,
More informationRegression Verification: Status Report
Regression Verification: Status Report Presentation by Dennis Felsing within the Projektgruppe Formale Methoden der Softwareentwicklung 2013-12-11 1/22 Introduction How to prevent regressions in software
More informationModel-based Test Case Generation for (Dynamic) Software Product Lines
Model-based Test Case Generation for (Dynamic) Software Product Lines The 6th Meeting on Feature-oriented Software Development 2014, May 04-07 Schloss Dagstuhl, Germany DFG Priority Programme 1593 Design
More informationA Static Analyzer for Large Safety-Critical Software
A Static Analyzer for Large Safety-Critical Software (Extended Abstract) Bruno Blanchet Patrick Cousot Radhia Cousot Jérôme Feret Laurent Mauborgne Antoine Miné David Monniaux Xavier Rival ABSTRACT We
More informationAutomated Theorem Proving - summary of lecture 1
Automated Theorem Proving - summary of lecture 1 1 Introduction Automated Theorem Proving (ATP) deals with the development of computer programs that show that some statement is a logical consequence of
More informationRigorous Software Engineering Hoare Logic and Design by Contracts
Rigorous Software Engineering Hoare Logic and Design by Contracts Simão Melo de Sousa RELEASE (UBI), LIACC (Porto) Computer Science Department University of Beira Interior, Portugal 2010-2011 S. Melo de
More informationHMC: Verifying Functional Programs Using Abstract Interpreters
HMC: Verifying Functional Programs Using Abstract Interpreters Ranjit Jhala 1, Rupak Majumdar 2, and Andrey Rybalchenko 3 1 UC San Diego 2 MPI-SWS 3 TU München Abstract We present Hindley-Milner-Cousots
More informationAlgorithms are the threads that tie together most of the subfields of computer science.
Algorithms Algorithms 1 Algorithms are the threads that tie together most of the subfields of computer science. Something magically beautiful happens when a sequence of commands and decisions is able to
More informationSoftware Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland
Software Testing & Analysis (F22ST3) Static Analysis Techniques Andrew Ireland School of Mathematical and Computer Science Heriot-Watt University Edinburgh Software Testing & Analysis (F22ST3): Static
More informationModel Checking of Software
Model Checking of Software Patrice Godefroid Bell Laboratories, Lucent Technologies SpecNCheck Page 1 August 2001 A Brief History of Model Checking Prehistory: transformational programs and theorem proving
More informationGlobal Constraints in Software Testing Applications
Global Constraints in Software Testing Applications Arnaud Gotlieb Simula Research Laboratory Norway 1/34 The Certus Centre Software Validation and Verification Cisco Systems Norway Hosted by SIMULA Established
More informationDistributed and Predictable Software Model Checking
Distributed and Predictable Software Model Checking Nuno P. Lopes 1 and Andrey Rybalchenko 2 1 INESC-ID / IST, TU Lisbon 2 Technische Universität München Abstract. We present a predicate abstraction and
More informationFormal Verification of Software
Formal Verification of Software Sabine Broda Department of Computer Science/FCUP 12 de Novembro de 2014 Sabine Broda (DCC-FCUP) Formal Verification of Software 12 de Novembro de 2014 1 / 26 Formal Verification
More informationIEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 33, NO. 11, NOVEMBER 2014 1611
IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 33, NO. 11, NOVEMBER 2014 1611 An SMT Based Method for Optimizing Arithmetic Computations in Embedded Software Code Hassan
More informationMonitoring Metric First-order Temporal Properties
Monitoring Metric First-order Temporal Properties DAVID BASIN, FELIX KLAEDTKE, SAMUEL MÜLLER, and EUGEN ZĂLINESCU, ETH Zurich Runtime monitoring is a general approach to verifying system properties at
More informationResearch Statement Immanuel Trummer www.itrummer.org
Research Statement Immanuel Trummer www.itrummer.org We are collecting data at unprecedented rates. This data contains valuable insights, but we need complex analytics to extract them. My research focuses
More informationRandom vs. Structure-Based Testing of Answer-Set Programs: An Experimental Comparison
Random vs. Structure-Based Testing of Answer-Set Programs: An Experimental Comparison Tomi Janhunen 1, Ilkka Niemelä 1, Johannes Oetsch 2, Jörg Pührer 2, and Hans Tompits 2 1 Aalto University, Department
More informationFixpoint Computation in the Polyhedra Abstract Domain using Convex and Numerical Analysis Tools
Fixpoint Computation in the Polyhedra Abstract Domain using Convex and Numerical Analysis Tools Yassamine Seladji and Olivier Bouissou CEA LIST CEA Saclay Nano-INNOV Institut CARNOT 91 191 Gif sur Yvette
More informationHow To Test Automatically
Automated Model-Based Testing of Embedded Real-Time Systems Jan Peleska jp@tzi.de University of Bremen Bieleschweig Workshop 7 2006-05-05 Outline Technologie-Zentrum Informatik Objectives Basic concepts
More informationFormal Specification and Verification
Formal Specification and Verification Stefan Ratschan Katedra číslicového návrhu Fakulta informačních technologíı České vysoké učení technické v Praze 2. 5. 2011 Stefan Ratschan (FIT ČVUT) PI-PSC 4 2.
More informationInteger Programming: Algorithms - 3
Week 9 Integer Programming: Algorithms - 3 OPR 992 Applied Mathematical Programming OPR 992 - Applied Mathematical Programming - p. 1/12 Dantzig-Wolfe Reformulation Example Strength of the Linear Programming
More informationo-minimality and Uniformity in n 1 Graphs
o-minimality and Uniformity in n 1 Graphs Reid Dale July 10, 2013 Contents 1 Introduction 2 2 Languages and Structures 2 3 Definability and Tame Geometry 4 4 Applications to n 1 Graphs 6 5 Further Directions
More informationA Static Analyzer for Large Safety-Critical Software
A Static Analyzer for Large Safety-Critical Software Bruno Blanchet Patrick Cousot Radhia Cousot Jérôme Feret Laurent Mauborgne Antoine Miné David Monniaux Xavier Rival ABSTRACT We show that abstract interpretation-based
More informationPractical Guide to the Simplex Method of Linear Programming
Practical Guide to the Simplex Method of Linear Programming Marcel Oliver Revised: April, 0 The basic steps of the simplex algorithm Step : Write the linear programming problem in standard form Linear
More informationMathematical Induction
Mathematical Induction In logic, we often want to prove that every member of an infinite set has some feature. E.g., we would like to show: N 1 : is a number 1 : has the feature Φ ( x)(n 1 x! 1 x) How
More informationAutomatic Test Data Synthesis using UML Sequence Diagrams
Vol. 09, No. 2, March April 2010 Automatic Test Data Synthesis using UML Sequence Diagrams Ashalatha Nayak and Debasis Samanta School of Information Technology Indian Institute of Technology, Kharagpur
More informationAccelerated Invariant Generation for C Programs with Aspic and C2fsm
Accelerated Invariant Generation for C Programs with Aspic and C2fsm Paul Feautrier, Laure Gonnord To cite this version: Paul Feautrier, Laure Gonnord. Accelerated Invariant Generation for C Programs with
More informationAnalyse statique de programmes numériques avec calculs flottants
Analyse statique de programmes numériques avec calculs flottants 4ème Rencontres Arithmétique de l Informatique Mathématique Antoine Miné École normale supérieure 9 février 2011 Perpignan 9/02/2011 Analyse
More informationLargest Fixed-Aspect, Axis-Aligned Rectangle
Largest Fixed-Aspect, Axis-Aligned Rectangle David Eberly Geometric Tools, LLC http://www.geometrictools.com/ Copyright c 1998-2016. All Rights Reserved. Created: February 21, 2004 Last Modified: February
More informationEuler: A System for Numerical Optimization of Programs
Euler: A System for Numerical Optimization of Programs Swarat Chaudhuri 1 and Armando Solar-Lezama 2 1 Rice University 2 MIT Abstract. We give a tutorial introduction to Euler, a system for solving difficult
More informationTermination Checking: Comparing Structural Recursion and Sized Types by Examples
Termination Checking: Comparing Structural Recursion and Sized Types by Examples David Thibodeau Decemer 3, 2011 Abstract Termination is an important property for programs and is necessary for formal proofs
More informationMONPOLY: Monitoring Usage-control Policies
MONPOLY: Monitoring Usage-control Policies David Basin, Matúš Harvan, Felix Klaedtke, and Eugen Zălinescu Computer Science Department, ETH Zurich, Switzerland 1 Introduction Determining whether the usage
More informationPredicate Logic. Example: All men are mortal. Socrates is a man. Socrates is mortal.
Predicate Logic Example: All men are mortal. Socrates is a man. Socrates is mortal. Note: We need logic laws that work for statements involving quantities like some and all. In English, the predicate is
More informationLecture Notes on Linear Search
Lecture Notes on Linear Search 15-122: Principles of Imperative Computation Frank Pfenning Lecture 5 January 29, 2013 1 Introduction One of the fundamental and recurring problems in computer science is
More informationHECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London
HECTOR a software model checker with cooperating analysis plugins Nathaniel Charlton and Michael Huth Imperial College London Introduction HECTOR targets imperative heap-manipulating programs uses abstraction
More informationOn the Modeling and Verification of Security-Aware and Process-Aware Information Systems
On the Modeling and Verification of Security-Aware and Process-Aware Information Systems 29 August 2011 What are workflows to us? Plans or schedules that map users or resources to tasks Such mappings may
More informationProving Non-termination Using Max-SMT
Proving Non-termination Using Max-SMT Daniel Larraz 1, Kaustubh Nimkar 2, Albert Oliveras 1, Enric Rodríguez-Carbonell 1, and Albert Rubio 1 1 Universitat Politècnica de Catalunya, Barcelona 2 University
More informationTesting LTL Formula Translation into Büchi Automata
Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland
More informationBugs, Moles and Skeletons: Symbolic Reasoning for Software Development
Bugs, Moles and Skeletons: Symbolic Reasoning for Software Development Leonardo de Moura and Nikolaj Bjørner Microsoft Research, One Microsoft Way, Redmond, WA, 98052, USA {leonardo, nbjorner@microsoft.com
More informationMathematics for Computer Science/Software Engineering. Notes for the course MSM1F3 Dr. R. A. Wilson
Mathematics for Computer Science/Software Engineering Notes for the course MSM1F3 Dr. R. A. Wilson October 1996 Chapter 1 Logic Lecture no. 1. We introduce the concept of a proposition, which is a statement
More informationSimple Loop Patterns and Rich Loop Invariants
Simple Loop Patterns and Rich Loop Invariants Marc Sango AdaCore CNAM 05-10-2011 Marc Sango (AdaCore CNAM) Simple Loop Patterns and Rich Loop Invariants 05-10-2011 1 / 17 Contents 1 Motivation 2 Principle
More informationhttp://aejm.ca Journal of Mathematics http://rema.ca Volume 1, Number 1, Summer 2006 pp. 69 86
Atlantic Electronic http://aejm.ca Journal of Mathematics http://rema.ca Volume 1, Number 1, Summer 2006 pp. 69 86 AUTOMATED RECOGNITION OF STUTTER INVARIANCE OF LTL FORMULAS Jeffrey Dallien 1 and Wendy
More informationXML Data Integration
XML Data Integration Lucja Kot Cornell University 11 November 2010 Lucja Kot (Cornell University) XML Data Integration 11 November 2010 1 / 42 Introduction Data Integration and Query Answering A data integration
More informationIndex Selection Techniques in Data Warehouse Systems
Index Selection Techniques in Data Warehouse Systems Aliaksei Holubeu as a part of a Seminar Databases and Data Warehouses. Implementation and usage. Konstanz, June 3, 2005 2 Contents 1 DATA WAREHOUSES
More informationCartesian Factoring of Polyhedra in Linear Relation Analysis
Cartesian Factoring of Polyhedra in Linear Relation Analysis N. Halbwachs and D. Merchat and C. Parent-Vigouroux Vérimag, Grenoble - France {Nicolas.Halbwachs,David.Merchat,Catherine.Parent}@imag.fr Abstract.
More informationTest Case Generation for Ultimately Periodic Paths Joint work with Saddek Bensalem Hongyang Qu Stavros Tripakis Lenore Zuck Accepted to HVC 2007 How to find the condition to execute a path? (weakest precondition
More informationKnow or Go Practical Quest for Reliable Software
Know or Go Practical Quest for Reliable Software Dr.-Ing. Jörg Barrho Dr.-Ing. Ulrich Wünsche AVACS Project meeting 25.09.2014 2014 Rolls-Royce Power Systems AG The information in this document is the
More informationAUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS
TKK Reports in Information and Computer Science Espoo 2009 TKK-ICS-R26 AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS Kari Kähkönen ABTEKNILLINEN KORKEAKOULU TEKNISKA HÖGSKOLAN HELSINKI UNIVERSITY OF
More informationPredicate Logic. For example, consider the following argument:
Predicate Logic The analysis of compound statements covers key aspects of human reasoning but does not capture many important, and common, instances of reasoning that are also logically valid. For example,
More informationHow To Develop A Static Analysis System For Large Programs
Towards the Industrial Scale Development of Custom Static Analyzers John Anton, Eric Bush, Allen Goldberg, Klaus Havelund, Doug Smith, Arnaud Venet Kestrel Technology LLC 4984 El Camino Real #230 Los Altos,
More informationThe ProB Animator and Model Checker for B
The ProB Animator and Model Checker for B A Tool Description Michael Leuschel and Michael Butler Department of Electronics and Computer Science University of Southampton Highfield, Southampton, SO17 1BJ,
More informationLecture 4 Online and streaming algorithms for clustering
CSE 291: Geometric algorithms Spring 2013 Lecture 4 Online and streaming algorithms for clustering 4.1 On-line k-clustering To the extent that clustering takes place in the brain, it happens in an on-line
More informationCHAPTER 3. Methods of Proofs. 1. Logical Arguments and Formal Proofs
CHAPTER 3 Methods of Proofs 1. Logical Arguments and Formal Proofs 1.1. Basic Terminology. An axiom is a statement that is given to be true. A rule of inference is a logical rule that is used to deduce
More informationSoftware safety - DEF-STAN 00-55
Software safety - DEF-STAN 00-55 Where safety is dependent on the safety related software (SRS) fully meeting its requirements, demonstrating safety is equivalent to demonstrating correctness with respect
More informationSoftware Modeling and Verification
Software Modeling and Verification Alessandro Aldini DiSBeF - Sezione STI University of Urbino Carlo Bo Italy 3-4 February 2015 Algorithmic verification Correctness problem Is the software/hardware system
More informationAutomatic Generation of Coq Certificates from Instrumented Static Analyzers
Automatic Generation of Coq Certificates from Instrumented Static Analyzers Manuel Garnacho 1, Michaël Périn 2 1 irit - Université Paul Sabatier (Toulouse III), France 2 Verimag - Université Joseph Fourier
More informationHow To Write A Program Verification And Programming Book
Jose Bacelar Almeida Maria Joao Frade Jorge Sousa Pinto Simao Melo de Sousa Rigorous Software Development An Introduction to Program Verification & Springer Contents 1 Introduction 1 1.1 A Formal Approach
More informationChapter 7: Functional Programming Languages
Chapter 7: Functional Programming Languages Aarne Ranta Slides for the book Implementing Programming Languages. An Introduction to Compilers and Interpreters, College Publications, 2012. Fun: a language
More informationEnvironment Modeling for Automated Testing of Cloud Applications
Environment Modeling for Automated Testing of Cloud Applications Linghao Zhang, Tao Xie, Nikolai Tillmann, Peli de Halleux, Xiaoxing Ma, Jian Lv {lzhang25, txie}@ncsu.edu, {nikolait, jhalleux}@microsoft.com,
More informationFormal Engineering for Industrial Software Development
Shaoying Liu Formal Engineering for Industrial Software Development Using the SOFL Method With 90 Figures and 30 Tables Springer Contents Introduction 1 1.1 Software Life Cycle... 2 1.2 The Problem 4 1.3
More informationPlan-Space Search. Searching for a Solution Plan in a Graph of Partial Plans
Plan-Space Search Searching for a Solution Plan in a Graph of Partial Plans Literature Malik Ghallab, Dana Nau, and Paolo Traverso. Automated Planning Theory and Practice, chapter 2 and 5. Elsevier/Morgan
More informationHigh Performance Computing for Operation Research
High Performance Computing for Operation Research IEF - Paris Sud University claude.tadonki@u-psud.fr INRIA-Alchemy seminar, Thursday March 17 Research topics Fundamental Aspects of Algorithms and Complexity
More informationTwo Flavors in Automated Software Repair: Rigid Repair and Plastic Repair
Two Flavors in Automated Software Repair: Rigid Repair and Plastic Repair Martin Monperrus, Benoit Baudry Dagstuhl Preprint, Seminar #13061, 2013. Link to the latest version Abstract In this paper, we
More informationECON20310 LECTURE SYNOPSIS REAL BUSINESS CYCLE
ECON20310 LECTURE SYNOPSIS REAL BUSINESS CYCLE YUAN TIAN This synopsis is designed merely for keep a record of the materials covered in lectures. Please refer to your own lecture notes for all proofs.
More informationMath Review. for the Quantitative Reasoning Measure of the GRE revised General Test
Math Review for the Quantitative Reasoning Measure of the GRE revised General Test www.ets.org Overview This Math Review will familiarize you with the mathematical skills and concepts that are important
More informationChapter 2: Linear Equations and Inequalities Lecture notes Math 1010
Section 2.1: Linear Equations Definition of equation An equation is a statement that equates two algebraic expressions. Solving an equation involving a variable means finding all values of the variable
More information